[ https://issues.apache.org/jira/browse/HADOOP-16730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wei-Chiu Chuang updated HADOOP-16730:
-------------------------------------
Fix Version/s: (was: 3.3.1)
3.3.0
> ABFS: Support for Shared Access Signatures (SAS)
> ------------------------------------------------
>
> Key: HADOOP-16730
> URL: https://issues.apache.org/jira/browse/HADOOP-16730
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs/azure
> Affects Versions: 3.2.1
> Reporter: Thomas Marqardt
> Assignee: Sneha Vijayarajan
> Priority: Major
> Fix For: 3.3.0
>
> Original Estimate: 1,008h
> Remaining Estimate: 1,008h
>
> ABFS supports OAuth and Shared Key but currently lacks support for [Shared
> Access Signatures (SAS)|https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview].
> SAS is a great way to constrain access to a low-privilege ABFS client. The
> ABFS client does not need to possess persistent credentials for accessing
> storage but instead can request temporary, constrained access tokens from a
> trusted endpoint. This endpoint can authenticate the caller, make an
> authorization decision and return a constrained SAS token. The token may
> have an expiration, it may be scoped to a specific file or directory, and it
> may grant an action or set of actions such as read, write, list, or delete.
> Azure Storage also has a new identity based SAS scheme in preview named
> Delegation SAS. These new Delegation SAS have these advantages over Service
> SAS:
> 1) Delegation SAS provide authentication as well as authorization. The user
> identity associated with each request will appear in the logs when logging is
> enabled for the account.
> 2) Instead of using storage account keys to sign tokens, Delegation SAS
> relies on keys assigned to each user. These keys are called user delegation
> keys. If a storage account key is leaked, an attacker would have full access
> to the storage account. If a user delegation key is leaked, an attacker
> would only have access to resources that user has access to within the Blob
> service–for example, the user might only have read access to a specific
> container.
> This feature will add support for the ABFS driver to authenticate against a
> trusted endpoint. The endpoint will return a SAS which the ABFS driver will
> use to access Azure storage. The SAS may be a container or directory SAS to
> be used for all subsequent operations, and thus cached for the lifetime of
> the filesystem. Or it may be a SAS to be used for the current filesystem
> operation, in this case, the ABFS driver will request a SAS for each
> operation.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
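As an added illustration of the constraints the issue description talks about (an expiry, scope to one file or directory, a limited set of actions, and the service SAS versus user delegation SAS distinction), here is a Python check that a low-privilege client could run on the token a trusted endpoint hands back before using it for one operation. This is example code written for this page, not Hadoop or ABFS driver code. The sample token strings, the operation-to-permission table, the one-hour lifetime bound and the cache_policy rule are constructed assumptions for the example; the field names it reads (sv, sr, sp, st, se, spr, sdd, sig, skoid, sktid, skt, ske, sks, skv, ss, srt) are Azure's documented SAS query parameters.

```python
"""Least-privilege checks on an Azure Storage SAS token before a client uses it.

Added example, not Hadoop/ABFS code. It parses the query-string form of a SAS,
tells a service SAS from a user delegation SAS, and rejects a token that grants
more than the single operation about to be performed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Permission letters one operation needs. Assumption for this example: a
# simplified mapping, not the driver's own table (Azure sp letters: r read,
# w write, d delete, l list, c create, a add, ...).
OPERATION_PERMISSIONS = {"read": {"r"}, "write": {"w"}, "list": {"l"}, "delete": {"d"}}

# Fields only a user delegation SAS carries (signed key oid, tenant, start,
# expiry, service, version). A key-signed service SAS has none of them.
USER_DELEGATION_FIELDS = ("skoid", "sktid", "skt", "ske", "sks", "skv")

# Timestamp forms Azure accepts for st/se.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(token):
    """SAS query string (with or without a leading '?') -> dict of fields."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def parse_sas_time(value):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unparseable SAS timestamp: %r" % value)


def is_user_delegation_sas(fields):
    return all(k in fields for k in USER_DELEGATION_FIELDS)


def cache_policy(fields):
    """Container (c) or directory (d) SAS covers every later operation under it,
    so it can be cached for the filesystem's lifetime; a blob SAS covers one
    path and is requested per operation. Assumed rule for this example."""
    return "filesystem" if fields.get("sr") in ("c", "d") else "operation"


def check_sas(token, operation, now, max_lifetime=timedelta(hours=1), allow_container=False):
    """Return the reasons `token` is broader than `operation` needs; [] means OK."""
    f = parse_sas(token)
    problems = []
    needed = OPERATION_PERMISSIONS[operation]

    if "sig" not in f or "sv" not in f:
        problems.append("missing sig or sv")

    # An account SAS (ss/srt, no sr) reaches every container: never accept it.
    if "ss" in f or "srt" in f or "sr" not in f:
        problems.append("not a service/user-delegation SAS scoped by sr")
    else:
        allowed = {"b", "d"} | ({"c"} if allow_container else set())
        if f["sr"] not in allowed:
            problems.append("resource scope %s wider than allowed" % f["sr"])
        if f["sr"] == "d" and "sdd" not in f:
            problems.append("directory SAS without signed directory depth (sdd)")

    granted = set(f.get("sp", ""))
    if not needed <= granted:
        problems.append("missing permission(s): %s" % "".join(sorted(needed - granted)))
    if granted - needed:
        problems.append("permissions broader than needed: %s" % "".join(sorted(granted - needed)))

    if "se" not in f:
        problems.append("no expiry (se)")
    else:
        expiry = parse_sas_time(f["se"])
        if expiry <= now:
            problems.append("token expired")
        elif expiry - now > max_lifetime:
            problems.append("remaining lifetime exceeds %s" % max_lifetime)
    if "st" in f and parse_sas_time(f["st"]) > now:
        problems.append("token not yet valid")

    if f.get("spr", "https") != "https":
        problems.append("token usable over plain http (spr=%s)" % f["spr"])
    return problems


# Constructed sample tokens (signatures are placeholders, not real HMACs).
NOW = datetime(2020, 3, 1, 10, 30, tzinfo=timezone.utc)
DIR_UD_SAS = ("?sv=2019-12-12&sr=d&sdd=2&sp=r&st=2020-03-01T10:00:00Z&se=2020-03-01T11:00:00Z"
              "&spr=https&skoid=00000000-0000-0000-0000-000000000001"
              "&sktid=00000000-0000-0000-0000-000000000002&skt=2020-03-01T10:00:00Z"
              "&ske=2020-03-01T18:00:00Z&sks=b&skv=2019-12-12&sig=PLACEHOLDER")
BLOB_SERVICE_SAS = "sv=2019-12-12&sr=b&sp=rwd&se=2020-03-02T10:00:00Z&spr=https,http&sig=PLACEHOLDER"
ACCOUNT_SAS = "sv=2019-12-12&ss=b&srt=sco&sp=rwdlac&se=2020-03-01T11:00:00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, tok in (("dir/ud", DIR_UD_SAS), ("blob/svc", BLOB_SERVICE_SAS), ("account", ACCOUNT_SAS)):
        f = parse_sas(tok)
        print(name, "user-delegation" if is_user_delegation_sas(f) else "service",
              cache_policy(f), check_sas(tok, "read", NOW))
```

The directory-scoped user delegation token passes for a read; the blob service SAS is flagged three times (write and delete it does not need, a day of remaining lifetime, and spr permitting plain http); the account SAS is rejected outright because nothing scoped by sr is there to constrain it.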